├── CISA Alert AA22-110A ├── APT28.json ├── APT29.json ├── Dragonfly.json ├── Gamaredon_Group.json ├── Havex.json ├── README.md ├── Sandworm_Team.json ├── Smoke_Loader.json ├── TEMP.Veles.json ├── Turla.json ├── WellMess.json ├── Wizard_Spider.json ├── combined.json └── combined.png ├── CISA Alert AA22-216A ├── AZORult.json ├── Agent_Tesla.json ├── CISA Top Malware Report - TTP Detection & Test Mapping Counts.csv ├── CISA_Alert_AA22-216A_-_All_Malware_Combined.json ├── CISA_Alert_AA22-216A_-_All_Malware_Combined_sorted.json ├── Formbook.json ├── GootLoader.json ├── LokiBot.json ├── MOUSEISLAND.json ├── NanoCore.json ├── Qakbot.json ├── Remcos.json ├── TrickBot.json ├── Ursnif.json ├── d3fend_cisaBlog.csv └── d3fend_cisaBlog.xlsx ├── Current Intelligence Reports ├── BumbleBee Roasts Its Way to Domain Admin – The DFIR Report.json ├── Karakurt Data Extortion Group CISA.json ├── LockBit 3.0 Update Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques - SentinelOne.json ├── SELECT XMRig FROM SQLServer.json └── current_intel_index.json ├── LICENSE ├── README.md ├── Recorded_Future_2021_Malware_and_TTP_Threat_Landscape ├── README.md └── Recorded_Future_2021_Malware_and_TTP_Threat_Landscape.json ├── Recorded_Future_5_Common_Ransomware_ATT&CK_Techniques ├── README.md └── Recorded_Future_5_Common_Ransomware_ATT&CK_Techniques.json ├── Red Canary 2022 Threat Detection Report ├── README.md └── Red_Canary_2022_Threat_Detection_Report.json ├── Russia-TTP-Mappings ├── README.md ├── actor-groups │ ├── APT28.json │ ├── APT29.json │ ├── DEV-0586 : WhisperGate.json │ ├── Gamaredon Group.json │ └── Sandworm.json ├── combined-sorted.json ├── combined.json ├── malware │ ├── Conti.json │ └── Cyclops Blink.json └── russia-ukraineTTPs.png ├── Stealer Malware ├── Astaroth.json ├── Chaes.json ├── Jester Stealer.json ├── Lokibot.json ├── OwaAuth.json ├── QuietSieve.json ├── README.md ├── ThiefQuest.json ├── Valak.json ├── combined.json └── combined.png └── base.json /CISA 
Alert AA22-110A/Havex.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Havex", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a\n\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\n\nhttps://collaborate.mitre.org/attackics/index.php/Software/S0003\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1547.001", 38 | "tactic": "persistence", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1547.001", 49 | "tactic": "privilege-escalation", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1055", 60 | "tactic": "defense-evasion", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1055", 71 | "tactic": 
"privilege-escalation", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1070.004", 82 | "tactic": "defense-evasion", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1555.003", 93 | "tactic": "credential-access", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1087.003", 104 | "tactic": "discovery", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1083", 115 | "tactic": "discovery", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1057", 126 | "tactic": "discovery", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1082", 137 | "tactic": "discovery", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1016", 148 | "tactic": "discovery", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1033", 159 | "tactic": "discovery", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | 
"showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1560", 170 | "tactic": "collection", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1132.001", 181 | "tactic": "command-and-control", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | } 190 | ], 191 | "gradient": { 192 | "colors": [ 193 | "#ffffffff", 194 | "#ff6666ff" 195 | ], 196 | "minValue": 0, 197 | "maxValue": 1 198 | }, 199 | "legendItems": [], 200 | "metadata": [], 201 | "links": [], 202 | "showTacticRowBackground": false, 203 | "tacticRowBackground": "#dddddd", 204 | "selectTechniquesAcrossTactics": true, 205 | "selectSubtechniquesWithParent": false 206 | } 207 | -------------------------------------------------------------------------------- /CISA Alert AA22-110A/README.md: -------------------------------------------------------------------------------- 1 | # CISA Alert AA22-110A 2 | Heatmaps for most of the threat actor groups and malware referenced in CISA's April 2022 alert, "[Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure](https://www.cisa.gov/uscert/ncas/alerts/aa22-110a)". 3 | 4 | Paste .json file contents into the "Threat Intelligence" dropdown on the **[Threat Alignment page](https://controlcompass.github.io/risk)** of the open-source [Control Validation Compass](https://controlcompass.github.io/) project to instantly surface technical & policy controls and offensive security tests aligned with these techniques. 
5 | 6 | Snapshot of the combined view of TTPs for all 11 adversaries (json version [here](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/blob/main/CISA%20Alert%20AA22-110A/combined.json)): 7 | ![AA22-110A TTPs](https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/CISA%20Alert%20AA22-110A/combined.png) 8 | -------------------------------------------------------------------------------- /CISA Alert AA22-110A/Smoke_Loader.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Smoke Loader", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a\n\nhttps://attack.mitre.org/versions/v10/software/S0226/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. 
See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1114.001", 38 | "tactic": "collection", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1547.001", 49 | "tactic": "persistence", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1547.001", 60 | "tactic": "privilege-escalation", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1071.001", 71 | "tactic": "command-and-control", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1053.005", 82 | "tactic": "execution", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1053.005", 93 | "tactic": "persistence", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1053.005", 104 | "tactic": 
"privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1140", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1555.003", 126 | "tactic": "credential-access", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1552.001", 137 | "tactic": "credential-access", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1055", 148 | "tactic": "defense-evasion", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1055", 159 | "tactic": "privilege-escalation", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1055.012", 170 | "tactic": "defense-evasion", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1055.012", 181 | "tactic": "privilege-escalation", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1059.005", 192 | "tactic": "execution", 193 | "score": 1, 194 | "color": "", 195 | 
"comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1083", 203 | "tactic": "discovery", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1497.001", 214 | "tactic": "defense-evasion", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1497.001", 225 | "tactic": "discovery", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1027", 236 | "tactic": "defense-evasion", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1105", 247 | "tactic": "command-and-control", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | } 256 | ], 257 | "gradient": { 258 | "colors": [ 259 | "#ffffffff", 260 | "#ff6666ff" 261 | ], 262 | "minValue": 0, 263 | "maxValue": 1 264 | }, 265 | "legendItems": [], 266 | "metadata": [], 267 | "links": [], 268 | "showTacticRowBackground": false, 269 | "tacticRowBackground": "#dddddd", 270 | "selectTechniquesAcrossTactics": true, 271 | "selectSubtechniquesWithParent": false 272 | } 273 | -------------------------------------------------------------------------------- /CISA Alert AA22-110A/TEMP.Veles.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "TEMP.Veles", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | 
"layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a\n\nhttps://attack.mitre.org/versions/v10/groups/G0088/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1583.003", 38 | "tactic": "resource-development", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1003.001", 49 | "tactic": "credential-access", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1133", 60 | "tactic": "persistence", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1133", 71 | "tactic": "initial-access", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1053.005", 82 | "tactic": "execution", 83 | "score": 1, 84 | "color": "", 
85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1053.005", 93 | "tactic": "persistence", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1053.005", 104 | "tactic": "privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1036.005", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1021.001", 126 | "tactic": "lateral-movement", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1021.004", 137 | "tactic": "lateral-movement", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1059.001", 148 | "tactic": "execution", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1070.006", 159 | "tactic": "defense-evasion", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1070.004", 170 | "tactic": "defense-evasion", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 
| "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1074.001", 181 | "tactic": "collection", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1078", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1078", 203 | "tactic": "persistence", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1078", 214 | "tactic": "privilege-escalation", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1078", 225 | "tactic": "initial-access", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1571", 236 | "tactic": "command-and-control", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1027.005", 247 | "tactic": "defense-evasion", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1546.012", 258 | "tactic": "privilege-escalation", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1546.012", 269 | 
"tactic": "persistence", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1588.002", 280 | "tactic": "resource-development", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1505.003", 291 | "tactic": "persistence", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | } 300 | ], 301 | "gradient": { 302 | "colors": [ 303 | "#ffffffff", 304 | "#ff6666ff" 305 | ], 306 | "minValue": 0, 307 | "maxValue": 1 308 | }, 309 | "legendItems": [], 310 | "metadata": [], 311 | "links": [], 312 | "showTacticRowBackground": false, 313 | "tacticRowBackground": "#dddddd", 314 | "selectTechniquesAcrossTactics": true, 315 | "selectSubtechniquesWithParent": false 316 | } 317 | -------------------------------------------------------------------------------- /CISA Alert AA22-110A/WellMess.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "WellMess", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a\n\nhttps://attack.mitre.org/software/S0514/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. 
See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1033", 38 | "tactic": "discovery", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1069.002", 49 | "tactic": "discovery", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1082", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1071.001", 71 | "tactic": "command-and-control", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1071.004", 82 | "tactic": "command-and-control", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1005", 93 | "tactic": "collection", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1140", 104 | "tactic": "defense-evasion", 105 | "score": 1, 
106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1016", 115 | "tactic": "discovery", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1059.001", 126 | "tactic": "execution", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1059.003", 137 | "tactic": "execution", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1001.001", 148 | "tactic": "command-and-control", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1573.001", 159 | "tactic": "command-and-control", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1573.002", 170 | "tactic": "command-and-control", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1132.001", 181 | "tactic": "command-and-control", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1105", 192 | "tactic": "command-and-control", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | 
"metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | } 201 | ], 202 | "gradient": { 203 | "colors": [ 204 | "#ffffff", 205 | "#ff6666" 206 | ], 207 | "minValue": 0, 208 | "maxValue": 1 209 | }, 210 | "legendItems": [], 211 | "metadata": [], 212 | "links": [], 213 | "showTacticRowBackground": false, 214 | "tacticRowBackground": "#dddddd", 215 | "selectTechniquesAcrossTactics": true, 216 | "selectSubtechniquesWithParent": false 217 | } 218 | -------------------------------------------------------------------------------- /CISA Alert AA22-110A/combined.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/1f4490ca6a11a26a410d8d976e332d4589403053/CISA Alert AA22-110A/combined.png -------------------------------------------------------------------------------- /CISA Alert AA22-216A/AZORult.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "AZORult", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: https://attack.mitre.org/versions/v11/software/S0344/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1113", 38 | "tactic": "collection", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1033", 49 | 
"tactic": "discovery", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1082", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1140", 71 | "tactic": "defense-evasion", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1555.003", 82 | "tactic": "credential-access", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1552.001", 93 | "tactic": "credential-access", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1055.012", 104 | "tactic": "defense-evasion", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1055.012", 115 | "tactic": "privilege-escalation", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1016", 126 | "tactic": "discovery", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1070.004", 137 | "tactic": "defense-evasion", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | 
"links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1083", 148 | "tactic": "discovery", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1057", 159 | "tactic": "discovery", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1573.001", 170 | "tactic": "command-and-control", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1012", 181 | "tactic": "discovery", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1134.002", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1134.002", 203 | "tactic": "privilege-escalation", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1105", 214 | "tactic": "command-and-control", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1124", 225 | "tactic": "discovery", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | } 234 | ], 235 | "gradient": { 236 | "colors": [ 
237 | "#ff6666ff", 238 | "#ffe766ff", 239 | "#8ec843ff" 240 | ], 241 | "minValue": 0, 242 | "maxValue": 100 243 | }, 244 | "legendItems": [], 245 | "metadata": [], 246 | "links": [], 247 | "showTacticRowBackground": false, 248 | "tacticRowBackground": "#dddddd", 249 | "selectTechniquesAcrossTactics": true, 250 | "selectSubtechniquesWithParent": false 251 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/Agent_Tesla.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Agent Tesla", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: https://attack.mitre.org/versions/v11/software/S0331/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1047", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1113", 49 | "tactic": "collection", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1033", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1547.001", 71 | 
"tactic": "persistence", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1547.001", 82 | "tactic": "privilege-escalation", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1564.003", 93 | "tactic": "defense-evasion", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1564.001", 104 | "tactic": "defense-evasion", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1115", 115 | "tactic": "collection", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1082", 126 | "tactic": "discovery", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1071.003", 137 | "tactic": "command-and-control", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1071.001", 148 | "tactic": "command-and-control", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1053.005", 159 | "tactic": "execution", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | 
"metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1053.005", 170 | "tactic": "persistence", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1053.005", 181 | "tactic": "privilege-escalation", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1140", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1562.001", 203 | "tactic": "defense-evasion", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1555", 214 | "tactic": "credential-access", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1555.003", 225 | "tactic": "credential-access", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1552.002", 236 | "tactic": "credential-access", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1552.001", 247 | "tactic": "credential-access", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 
255 | }, 256 | { 257 | "techniqueID": "T1055", 258 | "tactic": "defense-evasion", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1055", 269 | "tactic": "privilege-escalation", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1055.012", 280 | "tactic": "defense-evasion", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1055.012", 291 | "tactic": "privilege-escalation", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1218.009", 302 | "tactic": "defense-evasion", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1560", 313 | "tactic": "collection", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1185", 324 | "tactic": "collection", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1112", 335 | "tactic": "defense-evasion", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1125", 346 | "tactic": "collection", 347 | "score": 
1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1016", 357 | "tactic": "discovery", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1087.001", 368 | "tactic": "discovery", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": "T1497", 379 | "tactic": "defense-evasion", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1497", 390 | "tactic": "discovery", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1204.002", 401 | "tactic": "execution", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1057", 412 | "tactic": "discovery", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1048.003", 423 | "tactic": "exfiltration", 424 | "score": 1, 425 | "color": "", 426 | "comment": "", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | }, 432 | { 433 | "techniqueID": "T1566.001", 434 | "tactic": "initial-access", 435 | "score": 1, 436 | "color": "", 437 | "comment": "", 438 | "enabled": true, 439 | "metadata": [], 440 | "links": [], 441 | 
"showSubtechniques": false 442 | }, 443 | { 444 | "techniqueID": "T1027", 445 | "tactic": "defense-evasion", 446 | "score": 1, 447 | "color": "", 448 | "comment": "", 449 | "enabled": true, 450 | "metadata": [], 451 | "links": [], 452 | "showSubtechniques": false 453 | }, 454 | { 455 | "techniqueID": "T1056.001", 456 | "tactic": "collection", 457 | "score": 1, 458 | "color": "", 459 | "comment": "", 460 | "enabled": true, 461 | "metadata": [], 462 | "links": [], 463 | "showSubtechniques": false 464 | }, 465 | { 466 | "techniqueID": "T1056.001", 467 | "tactic": "credential-access", 468 | "score": 1, 469 | "color": "", 470 | "comment": "", 471 | "enabled": true, 472 | "metadata": [], 473 | "links": [], 474 | "showSubtechniques": false 475 | }, 476 | { 477 | "techniqueID": "T1203", 478 | "tactic": "execution", 479 | "score": 1, 480 | "color": "", 481 | "comment": "", 482 | "enabled": true, 483 | "metadata": [], 484 | "links": [], 485 | "showSubtechniques": false 486 | }, 487 | { 488 | "techniqueID": "T1105", 489 | "tactic": "command-and-control", 490 | "score": 1, 491 | "color": "", 492 | "comment": "", 493 | "enabled": true, 494 | "metadata": [], 495 | "links": [], 496 | "showSubtechniques": false 497 | }, 498 | { 499 | "techniqueID": "T1124", 500 | "tactic": "discovery", 501 | "score": 1, 502 | "color": "", 503 | "comment": "", 504 | "enabled": true, 505 | "metadata": [], 506 | "links": [], 507 | "showSubtechniques": false 508 | } 509 | ], 510 | "gradient": { 511 | "colors": [ 512 | "#ff6666ff", 513 | "#ffe766ff", 514 | "#8ec843ff" 515 | ], 516 | "minValue": 0, 517 | "maxValue": 100 518 | }, 519 | "legendItems": [], 520 | "metadata": [], 521 | "links": [], 522 | "showTacticRowBackground": false, 523 | "tacticRowBackground": "#dddddd", 524 | "selectTechniquesAcrossTactics": true, 525 | "selectSubtechniquesWithParent": false 526 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/Formbook.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Formbook", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Sources:\n\nhttps://www.fortinet.com/blog/threat-research/deconstructing-an-evasive-formbook-campaign-leveraging-covid-19-themes\n\nhttps://subscription.packtpub.com/book/security/9781838556372/6/ch06lvl1sec27/mapping-with-attandck\n\nhttps://socprime.com/blog/new-formbook-variant-targets-users-in-the-wild/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1204", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1112", 49 | "tactic": "defense-evasion", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1027", 60 | "tactic": "defense-evasion", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1497", 71 | "tactic": "defense-evasion", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1497", 82 | 
"tactic": "discovery", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1012", 93 | "tactic": "discovery", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1056", 104 | "tactic": "collection", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1056", 115 | "tactic": "credential-access", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1185", 126 | "tactic": "collection", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1113", 137 | "tactic": "collection", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1001", 148 | "tactic": "command-and-control", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1071", 159 | "tactic": "command-and-control", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1041", 170 | "tactic": "exfiltration", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | 
"links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1555", 181 | "tactic": "credential-access", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1555.003", 192 | "tactic": "credential-access", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1059", 203 | "tactic": "execution", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1566.001", 214 | "tactic": "initial-access", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1056.001", 225 | "tactic": "collection", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1056.001", 236 | "tactic": "credential-access", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | } 245 | ], 246 | "gradient": { 247 | "colors": [ 248 | "#ffffffff", 249 | "#ff6666ff" 250 | ], 251 | "minValue": 0, 252 | "maxValue": 1 253 | }, 254 | "legendItems": [], 255 | "metadata": [], 256 | "links": [], 257 | "showTacticRowBackground": false, 258 | "tacticRowBackground": "#dddddd", 259 | "selectTechniquesAcrossTactics": true, 260 | "selectSubtechniquesWithParent": false 261 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/GootLoader.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "GootLoader", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Sources:\n\nhttps://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\n\nhttps://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more\n\nhttps://otx.alienvault.com/pulse/6130a356ee60a60458757c85/\n\nhttps://otx.alienvault.com/pulse/60cb0868a8196a64861c84d7", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1189", 38 | "tactic": "initial-access", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1204.001", 49 | "tactic": "execution", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1204.002", 60 | "tactic": "execution", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1059.001", 71 | "tactic": "execution", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 
77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1053", 82 | "tactic": "execution", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1053", 93 | "tactic": "persistence", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1053", 104 | "tactic": "privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1218.011", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1555", 126 | "tactic": "credential-access", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1003.001", 137 | "tactic": "credential-access", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1087", 148 | "tactic": "discovery", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1560", 159 | "tactic": "collection", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1482", 170 | "tactic": "discovery", 
171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1615", 181 | "tactic": "discovery", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1069", 192 | "tactic": "discovery", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1018", 203 | "tactic": "discovery", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1033", 214 | "tactic": "discovery", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1021.001", 225 | "tactic": "lateral-movement", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1021.006", 236 | "tactic": "lateral-movement", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1005", 247 | "tactic": "collection", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1039", 258 | "tactic": "collection", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | 
"showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1046", 269 | "tactic": "discovery", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1562.001", 280 | "tactic": "defense-evasion", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1518.001", 291 | "tactic": "discovery", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1071.001", 302 | "tactic": "command-and-control", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1027", 313 | "tactic": "defense-evasion", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1547", 324 | "tactic": "persistence", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1547", 335 | "tactic": "privilege-escalation", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1055", 346 | "tactic": "defense-evasion", 347 | "score": 1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1055", 357 | "tactic": 
"privilege-escalation", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1055.012", 368 | "tactic": "defense-evasion", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": "T1055.012", 379 | "tactic": "privilege-escalation", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1112", 390 | "tactic": "defense-evasion", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1059.007", 401 | "tactic": "execution", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1566.002", 412 | "tactic": "initial-access", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1001", 423 | "tactic": "command-and-control", 424 | "score": 1, 425 | "color": "", 426 | "comment": "", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | }, 432 | { 433 | "techniqueID": "T1105", 434 | "tactic": "command-and-control", 435 | "score": 1, 436 | "color": "", 437 | "comment": "", 438 | "enabled": true, 439 | "metadata": [], 440 | "links": [], 441 | "showSubtechniques": false 442 | } 443 | ], 444 | "gradient": { 445 | "colors": [ 446 | "#ffffffff", 447 | "#ff6666ff" 448 | ], 449 | "minValue": 0, 450 | "maxValue": 
1 451 | }, 452 | "legendItems": [], 453 | "metadata": [], 454 | "links": [], 455 | "showTacticRowBackground": false, 456 | "tacticRowBackground": "#dddddd", 457 | "selectTechniquesAcrossTactics": true, 458 | "selectSubtechniquesWithParent": false 459 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/LokiBot.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "LokiBot", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: https://attack.mitre.org/versions/v11/software/S0447/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1033", 38 | "tactic": "discovery", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1564.001", 49 | "tactic": "defense-evasion", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1082", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1071.001", 71 | "tactic": "command-and-control", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": 
true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1053", 82 | "tactic": "execution", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1053", 93 | "tactic": "persistence", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1053", 104 | "tactic": "privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1053.005", 115 | "tactic": "execution", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1053.005", 126 | "tactic": "persistence", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1053.005", 137 | "tactic": "privilege-escalation", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1106", 148 | "tactic": "execution", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1140", 159 | "tactic": "defense-evasion", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1555", 170 
| "tactic": "credential-access", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1555.003", 181 | "tactic": "credential-access", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1055.012", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1055.012", 203 | "tactic": "privilege-escalation", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1620", 214 | "tactic": "defense-evasion", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1112", 225 | "tactic": "defense-evasion", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1548.002", 236 | "tactic": "privilege-escalation", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1548.002", 247 | "tactic": "defense-evasion", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1016", 258 | "tactic": "discovery", 259 | "score": 1, 260 | "color": "", 261 | 
"comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1059.003", 269 | "tactic": "execution", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1059.005", 280 | "tactic": "execution", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1059.001", 291 | "tactic": "execution", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1070.004", 302 | "tactic": "defense-evasion", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1083", 313 | "tactic": "discovery", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1497.003", 324 | "tactic": "defense-evasion", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1497.003", 335 | "tactic": "discovery", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1204.002", 346 | "tactic": "execution", 347 | "score": 1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 
354 | }, 355 | { 356 | "techniqueID": "T1041", 357 | "tactic": "exfiltration", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1566.001", 368 | "tactic": "initial-access", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": "T1027", 379 | "tactic": "defense-evasion", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1027.002", 390 | "tactic": "defense-evasion", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1056.001", 401 | "tactic": "collection", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1056.001", 412 | "tactic": "credential-access", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1105", 423 | "tactic": "command-and-control", 424 | "score": 1, 425 | "color": "", 426 | "comment": "", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | } 432 | ], 433 | "gradient": { 434 | "colors": [ 435 | "#ff6666ff", 436 | "#ffe766ff", 437 | "#8ec843ff" 438 | ], 439 | "minValue": 0, 440 | "maxValue": 100 441 | }, 442 | "legendItems": [], 443 | "metadata": [], 444 | "links": [], 445 | "showTacticRowBackground": false, 446 | "tacticRowBackground": "#dddddd", 447 | 
"selectTechniquesAcrossTactics": true, 448 | "selectSubtechniquesWithParent": false 449 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/MOUSEISLAND.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "MOUSEISLAND", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: TropChaud analysis of https://www.mandiant.com/resources/melting-unc2198-icedid-to-ransomware-operations", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1137.001", 38 | "tactic": "persistence", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1071.004", 49 | "tactic": "command-and-control", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1071.001", 60 | "tactic": "command-and-control", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1204.002", 71 | "tactic": "execution", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 
81 | "techniqueID": "T1566.001", 82 | "tactic": "initial-access", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | } 91 | ], 92 | "gradient": { 93 | "colors": [ 94 | "#ffffffff", 95 | "#ff6666ff" 96 | ], 97 | "minValue": 0, 98 | "maxValue": 1 99 | }, 100 | "legendItems": [], 101 | "metadata": [], 102 | "links": [], 103 | "showTacticRowBackground": false, 104 | "tacticRowBackground": "#dddddd", 105 | "selectTechniquesAcrossTactics": true, 106 | "selectSubtechniquesWithParent": false 107 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/NanoCore.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "NanoCore", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: https://attack.mitre.org/versions/v11/software/S0336/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1123", 38 | "tactic": "collection", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1547.001", 49 | "tactic": "persistence", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": 
"T1547.001", 60 | "tactic": "privilege-escalation", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1562.001", 71 | "tactic": "defense-evasion", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1562.004", 82 | "tactic": "defense-evasion", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1112", 93 | "tactic": "defense-evasion", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1125", 104 | "tactic": "collection", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1016", 115 | "tactic": "discovery", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1059.003", 126 | "tactic": "execution", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1059.005", 137 | "tactic": "execution", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1027", 148 | "tactic": "defense-evasion", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | 
"metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1573.001", 159 | "tactic": "command-and-control", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1056.001", 170 | "tactic": "collection", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1056.001", 181 | "tactic": "credential-access", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1105", 192 | "tactic": "command-and-control", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | } 201 | ], 202 | "gradient": { 203 | "colors": [ 204 | "#ff6666ff", 205 | "#ffe766ff", 206 | "#8ec843ff" 207 | ], 208 | "minValue": 0, 209 | "maxValue": 100 210 | }, 211 | "legendItems": [], 212 | "metadata": [], 213 | "links": [], 214 | "showTacticRowBackground": false, 215 | "tacticRowBackground": "#dddddd", 216 | "selectTechniquesAcrossTactics": true, 217 | "selectSubtechniquesWithParent": false 218 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/Remcos.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Remcos", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: https://attack.mitre.org/versions/v11/software/S0332/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 
| "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1113", 38 | "tactic": "collection", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1123", 49 | "tactic": "collection", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1547.001", 60 | "tactic": "persistence", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1547.001", 71 | "tactic": "privilege-escalation", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1115", 82 | "tactic": "collection", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1055", 93 | "tactic": "defense-evasion", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1055", 104 | "tactic": "privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": 
"T1112", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1548.002", 126 | "tactic": "privilege-escalation", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1548.002", 137 | "tactic": "defense-evasion", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1125", 148 | "tactic": "collection", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1090", 159 | "tactic": "command-and-control", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1059.003", 170 | "tactic": "execution", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1059.006", 181 | "tactic": "execution", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1083", 192 | "tactic": "discovery", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1497.001", 203 | "tactic": "defense-evasion", 204 | "score": 1, 205 | "color": "", 206 | "comment": 
"", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1497.001", 214 | "tactic": "discovery", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1027", 225 | "tactic": "defense-evasion", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1056.001", 236 | "tactic": "collection", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1056.001", 247 | "tactic": "credential-access", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1105", 258 | "tactic": "command-and-control", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | } 267 | ], 268 | "gradient": { 269 | "colors": [ 270 | "#ff6666ff", 271 | "#ffe766ff", 272 | "#8ec843ff" 273 | ], 274 | "minValue": 0, 275 | "maxValue": 100 276 | }, 277 | "legendItems": [], 278 | "metadata": [], 279 | "links": [], 280 | "showTacticRowBackground": false, 281 | "tacticRowBackground": "#dddddd", 282 | "selectTechniquesAcrossTactics": true, 283 | "selectSubtechniquesWithParent": false 284 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/Ursnif.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Ursnif", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.5", 6 
| "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Source: https://attack.mitre.org/versions/v11/software/S0386/", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1047", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1113", 49 | "tactic": "collection", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1543.003", 60 | "tactic": "persistence", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1543.003", 71 | "tactic": "privilege-escalation", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1547.001", 82 | "tactic": "persistence", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1547.001", 93 | "tactic": "privilege-escalation", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | 
{ 103 | "techniqueID": "T1564.003", 104 | "tactic": "defense-evasion", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1080", 115 | "tactic": "lateral-movement", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1007", 126 | "tactic": "discovery", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1082", 137 | "tactic": "discovery", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1071.001", 148 | "tactic": "command-and-control", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1106", 159 | "tactic": "execution", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1091", 170 | "tactic": "lateral-movement", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1091", 181 | "tactic": "initial-access", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1005", 192 | "tactic": "collection", 193 | "score": 1, 194 | "color": "", 195 | 
"comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1140", 203 | "tactic": "defense-evasion", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1036.005", 214 | "tactic": "defense-evasion", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1055.012", 225 | "tactic": "defense-evasion", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1055.012", 236 | "tactic": "privilege-escalation", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1055.005", 247 | "tactic": "defense-evasion", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1055.005", 258 | "tactic": "privilege-escalation", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1185", 269 | "tactic": "collection", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1112", 280 | "tactic": "defense-evasion", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 
287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1090", 291 | "tactic": "command-and-control", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1090.003", 302 | "tactic": "command-and-control", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1059.005", 313 | "tactic": "execution", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1059.001", 324 | "tactic": "execution", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1070.004", 335 | "tactic": "defense-evasion", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1568.002", 346 | "tactic": "command-and-control", 347 | "score": 1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1074.001", 357 | "tactic": "collection", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1497.003", 368 | "tactic": "defense-evasion", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": 
"T1497.003", 379 | "tactic": "discovery", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1057", 390 | "tactic": "discovery", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1041", 401 | "tactic": "exfiltration", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1559.001", 412 | "tactic": "execution", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1027", 423 | "tactic": "defense-evasion", 424 | "score": 1, 425 | "color": "", 426 | "comment": "", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | }, 432 | { 433 | "techniqueID": "T1056.004", 434 | "tactic": "collection", 435 | "score": 1, 436 | "color": "", 437 | "comment": "", 438 | "enabled": true, 439 | "metadata": [], 440 | "links": [], 441 | "showSubtechniques": false 442 | }, 443 | { 444 | "techniqueID": "T1056.004", 445 | "tactic": "credential-access", 446 | "score": 1, 447 | "color": "", 448 | "comment": "", 449 | "enabled": true, 450 | "metadata": [], 451 | "links": [], 452 | "showSubtechniques": false 453 | }, 454 | { 455 | "techniqueID": "T1012", 456 | "tactic": "discovery", 457 | "score": 1, 458 | "color": "", 459 | "comment": "", 460 | "enabled": true, 461 | "metadata": [], 462 | "links": [], 463 | "showSubtechniques": false 464 | }, 465 | { 466 | "techniqueID": "T1132", 467 | "tactic": "command-and-control", 468 | "score": 1, 469 | "color": "", 470 | "comment": "", 471 | 
"enabled": true, 472 | "metadata": [], 473 | "links": [], 474 | "showSubtechniques": false 475 | }, 476 | { 477 | "techniqueID": "T1105", 478 | "tactic": "command-and-control", 479 | "score": 1, 480 | "color": "", 481 | "comment": "", 482 | "enabled": true, 483 | "metadata": [], 484 | "links": [], 485 | "showSubtechniques": false 486 | } 487 | ], 488 | "gradient": { 489 | "colors": [ 490 | "#ff6666ff", 491 | "#ffe766ff", 492 | "#8ec843ff" 493 | ], 494 | "minValue": 0, 495 | "maxValue": 100 496 | }, 497 | "legendItems": [], 498 | "metadata": [], 499 | "links": [], 500 | "showTacticRowBackground": false, 501 | "tacticRowBackground": "#dddddd", 502 | "selectTechniquesAcrossTactics": true, 503 | "selectSubtechniquesWithParent": false 504 | } -------------------------------------------------------------------------------- /CISA Alert AA22-216A/d3fend_cisaBlog.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/1f4490ca6a11a26a410d8d976e332d4589403053/CISA Alert AA22-216A/d3fend_cisaBlog.xlsx -------------------------------------------------------------------------------- /Current Intelligence Reports/BumbleBee Roasts Its Way to Domain Admin – The DFIR Report.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "BumbleBee Roasts Its Way to Domain Admin \u2013 The DFIR Report", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Heatmap of (sub)techniques mentioned in \"BumbleBee Roasts Its Way to Domain Admin \u2013 The DFIR Report\".\n\nSource: https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", 10 | "techniques": [ 11 | { 12 | "techniqueID": "T1566", 13 | "score": 1 14 | }, 15 | { 16 | "techniqueID": "T1204.002", 17 | "score": 1 18 | }, 19 | { 20 | "techniqueID": "T1059.003", 21 | "score": 1 22 | 
}, 23 | { 24 | "techniqueID": "T1059.001", 25 | "score": 1 26 | }, 27 | { 28 | "techniqueID": "T1055", 29 | "score": 1 30 | }, 31 | { 32 | "techniqueID": "T1070.004", 33 | "score": 1 34 | }, 35 | { 36 | "techniqueID": "T1003.001", 37 | "score": 1 38 | }, 39 | { 40 | "techniqueID": "T1558.003", 41 | "score": 1 42 | }, 43 | { 44 | "techniqueID": "T1087.002", 45 | "score": 1 46 | }, 47 | { 48 | "techniqueID": "T1482", 49 | "score": 1 50 | }, 51 | { 52 | "techniqueID": "T1570", 53 | "score": 1 54 | }, 55 | { 56 | "techniqueID": "T1021.001", 57 | "score": 1 58 | }, 59 | { 60 | "techniqueID": "T1078", 61 | "score": 1 62 | }, 63 | { 64 | "techniqueID": "T1219", 65 | "score": 1 66 | }, 67 | { 68 | "techniqueID": "T1105", 69 | "score": 1 70 | }, 71 | { 72 | "techniqueID": "T1071.001", 73 | "score": 1 74 | }, 75 | { 76 | "techniqueID": "T1569", 77 | "score": 1 78 | }, 79 | { 80 | "techniqueID": "T1021.002", 81 | "score": 1 82 | }, 83 | { 84 | "techniqueID": "T1518", 85 | "score": 1 86 | }, 87 | { 88 | "techniqueID": "T1016", 89 | "score": 1 90 | }, 91 | { 92 | "techniqueID": "T1018", 93 | "score": 1 94 | }, 95 | { 96 | "techniqueID": "T1057", 97 | "score": 1 98 | }, 99 | { 100 | "techniqueID": "T1553.005", 101 | "score": 1 102 | }, 103 | { 104 | "techniqueID": "T1036", 105 | "score": 1 106 | }, 107 | { 108 | "techniqueID": "T1218.011", 109 | "score": 1 110 | }, 111 | { 112 | "techniqueID": "T1069.002", 113 | "score": 1 114 | }, 115 | { 116 | "techniqueID": "T1047", 117 | "score": 1 118 | }, 119 | { 120 | "techniqueID": "T1110.001", 121 | "score": 1 122 | } 123 | ], 124 | "layout": { 125 | "layout": "side", 126 | "aggregateFunction": "max", 127 | "showID": false, 128 | "showName": true, 129 | "showAggregateScores": true, 130 | "countUnscored": false 131 | }, 132 | "gradient": { 133 | "colors": [ 134 | "#ffffff", 135 | "#ff6666" 136 | ], 137 | "minValue": 0, 138 | "maxValue": 1 139 | } 140 | } -------------------------------------------------------------------------------- 
/Current Intelligence Reports/Karakurt Data Extortion Group CISA.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Karakurt Data Extortion Group | CISA", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Heatmap of (sub)techniques mentioned in \"Karakurt Data Extortion Group | CISA\".\n\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-152a", 10 | "techniques": [ 11 | { 12 | "techniqueID": "T1591.002", 13 | "score": 2 14 | }, 15 | { 16 | "techniqueID": "T1589.001", 17 | "score": 3 18 | }, 19 | { 20 | "techniqueID": "T1589.002", 21 | "score": 2 22 | }, 23 | { 24 | "techniqueID": "T1133", 25 | "score": 3 26 | }, 27 | { 28 | "techniqueID": "T1190", 29 | "score": 3 30 | }, 31 | { 32 | "techniqueID": "T1566", 33 | "score": 2 34 | }, 35 | { 36 | "techniqueID": "T1566.001", 37 | "score": 2 38 | }, 39 | { 40 | "techniqueID": "T1078", 41 | "score": 4 42 | }, 43 | { 44 | "techniqueID": "T1083", 45 | "score": 2 46 | }, 47 | { 48 | "techniqueID": "T1219", 49 | "score": 2 50 | }, 51 | { 52 | "techniqueID": "T1048", 53 | "score": 2 54 | }, 55 | { 56 | "techniqueID": "T1567.002", 57 | "score": 2 58 | } 59 | ], 60 | "layout": { 61 | "layout": "side", 62 | "aggregateFunction": "max", 63 | "showID": false, 64 | "showName": true, 65 | "showAggregateScores": true, 66 | "countUnscored": false 67 | }, 68 | "gradient": { 69 | "colors": [ 70 | "#ffffff", 71 | "#ff6666" 72 | ], 73 | "minValue": 0, 74 | "maxValue": 4 75 | } 76 | } -------------------------------------------------------------------------------- /Current Intelligence Reports/LockBit 3.0 Update Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques - SentinelOne.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques - 
SentinelOne", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Heatmap of (sub)techniques mentioned in \"LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques - SentinelOne\".\n\nSource: https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/", 10 | "techniques": [ 11 | { 12 | "techniqueID": "T1547.001", 13 | "score": 1 14 | }, 15 | { 16 | "techniqueID": "T1543.003", 17 | "score": 1 18 | }, 19 | { 20 | "techniqueID": "T1055", 21 | "score": 1 22 | }, 23 | { 24 | "techniqueID": "T1070.001", 25 | "score": 1 26 | }, 27 | { 28 | "techniqueID": "T1622", 29 | "score": 1 30 | }, 31 | { 32 | "techniqueID": "T1548.002", 33 | "score": 1 34 | }, 35 | { 36 | "techniqueID": "T1485", 37 | "score": 1 38 | }, 39 | { 40 | "techniqueID": "T1489", 41 | "score": 1 42 | }, 43 | { 44 | "techniqueID": "T1490", 45 | "score": 1 46 | }, 47 | { 48 | "techniqueID": "T1003.001", 49 | "score": 1 50 | }, 51 | { 52 | "techniqueID": "T1078.002", 53 | "score": 1 54 | }, 55 | { 56 | "techniqueID": "T1078.001", 57 | "score": 1 58 | }, 59 | { 60 | "techniqueID": "T1406.002", 61 | "score": 1 62 | }, 63 | { 64 | "techniqueID": "T1218.003", 65 | "score": 1 66 | }, 67 | { 68 | "techniqueID": "T1047", 69 | "score": 1 70 | }, 71 | { 72 | "techniqueID": "T1119", 73 | "score": 1 74 | } 75 | ], 76 | "layout": { 77 | "layout": "side", 78 | "aggregateFunction": "max", 79 | "showID": false, 80 | "showName": true, 81 | "showAggregateScores": true, 82 | "countUnscored": false 83 | }, 84 | "gradient": { 85 | "colors": [ 86 | "#ffffff", 87 | "#ff6666" 88 | ], 89 | "minValue": 0, 90 | "maxValue": 1 91 | } 92 | } -------------------------------------------------------------------------------- /Current Intelligence Reports/SELECT XMRig FROM SQLServer.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "SELECT XMRig FROM SQLServer", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Heatmap of (sub)techniques mentioned in \"SELECT XMRig FROM SQLServer\".\n\nSource: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", 10 | "techniques": [ 11 | { 12 | "techniqueID": "T1053.005", 13 | "score": 1 14 | }, 15 | { 16 | "techniqueID": "T1136.001", 17 | "score": 1 18 | }, 19 | { 20 | "techniqueID": "T1546.003", 21 | "score": 1 22 | }, 23 | { 24 | "techniqueID": "T1564.002", 25 | "score": 1 26 | }, 27 | { 28 | "techniqueID": "T1059.003", 29 | "score": 1 30 | }, 31 | { 32 | "techniqueID": "T1027.004", 33 | "score": 1 34 | }, 35 | { 36 | "techniqueID": "T1110.001", 37 | "score": 1 38 | }, 39 | { 40 | "techniqueID": "T1070.004", 41 | "score": 1 42 | }, 43 | { 44 | "techniqueID": "T1562.001", 45 | "score": 1 46 | }, 47 | { 48 | "techniqueID": "T1546.012", 49 | "score": 1 50 | }, 51 | { 52 | "techniqueID": "T1140", 53 | "score": 1 54 | }, 55 | { 56 | "techniqueID": "T1112", 57 | "score": 1 58 | }, 59 | { 60 | "techniqueID": "T1078", 61 | "score": 1 62 | }, 63 | { 64 | "techniqueID": "T1134.001", 65 | "score": 1 66 | } 67 | ], 68 | "layout": { 69 | "layout": "side", 70 | "aggregateFunction": "max", 71 | "showID": false, 72 | "showName": true, 73 | "showAggregateScores": true, 74 | "countUnscored": false 75 | }, 76 | "gradient": { 77 | "colors": [ 78 | "#ffffff", 79 | "#ff6666" 80 | ], 81 | "minValue": 0, 82 | "maxValue": 1 83 | } 84 | } -------------------------------------------------------------------------------- /Current Intelligence Reports/current_intel_index.json: -------------------------------------------------------------------------------- 1 | [ 2 | { "title": "CISA Alert AA22-216A: 2021 Top Malware Strains - All Malware TTPs Combined (August 2022)", 3 | "url": 
"https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/CISA%20Alert%20AA22-216A/CISA_Alert_AA22-216A_-_All_Malware_Combined_sorted.json" 4 | }, 5 | { "title": "The DFIR Report BumbleBee Roasts Its Way to Domain Admin (August 2022)", 6 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Current%20Intelligence%20Reports/BumbleBee%20Roasts%20Its%20Way%20to%20Domain%20Admin%20%E2%80%93%20The%20DFIR%20Report.json" 7 | }, 8 | { "title": "LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques - SentinelOne (July 2022)", 9 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Current%20Intelligence%20Reports/LockBit%203.0%20Update%20%20Unpicking%20the%20Ransomware's%20Latest%20Anti-Analysis%20and%20Evasion%20Techniques%20-%20SentinelOne.json" 10 | }, 11 | { "title": "The DFIR Report SELECT XMRig FROM SQLServer (July 2022)", 12 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Current%20Intelligence%20Reports/SELECT%20XMRig%20FROM%20SQLServer.json" 13 | }, 14 | { "title": "CISA Alert AA22-152A: Karakurt Data Extortion Group (June 2022)", 15 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Current%20Intelligence%20Reports/Karakurt%20Data%20Extortion%20Group%20CISA.json" 16 | }, 17 | { "title": "Stealer Malware Roundup (June 2022)", 18 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Stealer%20Malware/combined.json" 19 | }, 20 | { 21 | "title": "CISA Alert AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure (April 2022)", 22 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/CISA%20Alert%20AA22-110A/combined.json" 23 | }, 24 | { 25 | "title": "Red Canary 2022 Threat Detection Report (March 2022)", 26 | "url": 
"https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Red%20Canary%202022%20Threat%20Detection%20Report/Red_Canary_2022_Threat_Detection_Report.json" 27 | }, 28 | { 29 | "title": "Recorded Future 2021 Malware and TTP Threat Landscape (March 2022)", 30 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Recorded_Future_2021_Malware_and_TTP_Threat_Landscape/Recorded_Future_2021_Malware_and_TTP_Threat_Landscape.json" 31 | }, 32 | { 33 | "title": "2022 Russia-Ukraine War: Cyber Risk (ATT&CK TTPs) (March 2022)", 34 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Russia-TTP-Mappings/combined-sorted.json" 35 | }, 36 | { 37 | "title": "Recorded Future 5 Common Ransomware ATT&CK Techniques (December 2021)", 38 | "url": "https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Recorded_Future_5_Common_Ransomware_ATT%26CK_Techniques/Recorded_Future_5_Common_Ransomware_ATT%26CK_Techniques.json" 39 | } 40 | ] 41 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 IntelScott 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Cyber Adversary Heatmaps 2 | Intelligence around common attacker behaviors (MITRE ATT&CK TTPs), in the form of ATT&CK Navigator "layer" json files. 3 | 4 | Paste .json file contents into the "Threat Intelligence" dropdown on the **[Threat Alignment page](https://controlcompass.github.io/risk)** of the open-source [Control Validation Compass](https://controlcompass.github.io/) project, to instantly surface technical & policy controls and offensive security tests aligned with these techniques. 
5 | 6 | The following heatmap sets are currently available: 7 | 8 | * June 2022: [Stealer Malware Roundup](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/tree/main/Stealer%20Malware) 9 | * April 2022: [CISA Alert AA22-110A](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/tree/main/CISA%20Alert%20AA22-110A) 10 | * March 2022: [Red Canary 2022 Threat Detection Report](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/tree/main/Red%20Canary%202022%20Threat%20Detection%20Report) 11 | * March 2022: [Recorded Future 2021 Malware and TTP Threat Landscape](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/blob/main/Recorded_Future_2021_Malware_and_TTP_Threat_Landscape/Recorded_Future_2021_Malware_and_TTP_Threat_Landscape.json) 12 | * March 2022: [Russia TTP Mappings](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/tree/main/Russia-TTP-Mappings) 13 | * December 2021: [Recorded Future 5 Common Ransomware ATT&CK Techniques](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/blob/main/Recorded_Future_5_Common_Ransomware_ATT%26CK_Techniques/Recorded_Future_5_Common_Ransomware_ATT%26CK_Techniques.json) 14 | 15 | Want to learn more about using [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/) to visualize TTP intelligence? See the MITRE ATT&CK CTI Training [here](https://attack.mitre.org/resources/training/cti/), and ATT&CK Navigator documentation [here](https://github.com/mitre-attack/attack-navigator/blob/master/USAGE.md). 
16 | 17 | Unless otherwise noted, heatmaps will use the following base ATT&CK Navigator settings: 18 | 19 | { 20 | "name": "base", 21 | "versions": { 22 | "attack": "11", 23 | "navigator": "4.6.1", 24 | "layer": "4.3" 25 | }, 26 | "domain": "enterprise-attack", 27 | "description": "", 28 | "filters": { 29 | "platforms": [ 30 | "Linux", 31 | "macOS", 32 | "Windows", 33 | "PRE", 34 | "Containers", 35 | "Network", 36 | "Office 365", 37 | "SaaS", 38 | "Google Workspace", 39 | "IaaS", 40 | "Azure AD" 41 | ] 42 | }, 43 | "sorting": 0, 44 | "layout": { 45 | "layout": "side", 46 | "aggregateFunction": "max", 47 | "showID": false, 48 | "showName": true, 49 | "showAggregateScores": true, 50 | "countUnscored": false 51 | }, 52 | "hideDisabled": false, 53 | "techniques": [], 54 | "gradient": { 55 | "colors": [ 56 | "#ffffff", 57 | "#ff6666" 58 | ], 59 | "minValue": 0, 60 | "maxValue": 1 61 | }, 62 | "legendItems": [], 63 | "metadata": [], 64 | "links": [], 65 | "showTacticRowBackground": false, 66 | "tacticRowBackground": "#dddddd", 67 | "selectTechniquesAcrossTactics": true, 68 | "selectSubtechniquesWithParent": false 69 | } 70 | 71 | MITRE ATT&CK® is a registered trademark of The MITRE Corporation 72 | -------------------------------------------------------------------------------- /Recorded_Future_2021_Malware_and_TTP_Threat_Landscape/README.md: -------------------------------------------------------------------------------- 1 | # 2021 Malware and TTP Threat Landscape 2 | Heatmap for the top 5 trending MITRE ATT&CK techniques in 2021 and top initial access techniques, from Recorded Future's [2021 Malware and TTP Threat Landscape](https://go.recordedfuture.com/hubfs/reports/cta-2022-0315.pdf) 3 | 4 | Paste .json file contents into the "Threat Intelligence" dropdown on the **[Threat Alignment page](https://controlcompass.github.io/risk)** of the open-source [Control Validation Compass](https://controlcompass.github.io/) project, to instantly surface technical & policy 
controls and offensive security tests aligned with these techniques. 5 | -------------------------------------------------------------------------------- /Recorded_Future_2021_Malware_and_TTP_Threat_Landscape/Recorded_Future_2021_Malware_and_TTP_Threat_Landscape.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Recorded Future 2021 Malware and TTP Threat Landscape", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://go.recordedfuture.com/hubfs/reports/cta-2022-0315.pdf\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1486", 38 | "tactic": "impact", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1082", 49 | "tactic": "discovery", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1055", 60 | "tactic": "defense-evasion", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | 
"enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1055", 71 | "tactic": "privilege-escalation", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1027", 82 | "tactic": "defense-evasion", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1005", 93 | "tactic": "collection", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1190", 104 | "tactic": "initial-access", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | } 113 | ], 114 | "gradient": { 115 | "colors": [ 116 | "#ffffffff", 117 | "#ff6666ff" 118 | ], 119 | "minValue": 0, 120 | "maxValue": 1 121 | }, 122 | "legendItems": [], 123 | "metadata": [], 124 | "links": [], 125 | "showTacticRowBackground": false, 126 | "tacticRowBackground": "#dddddd", 127 | "selectTechniquesAcrossTactics": true, 128 | "selectSubtechniquesWithParent": false 129 | } 130 | -------------------------------------------------------------------------------- /Recorded_Future_5_Common_Ransomware_ATT&CK_Techniques/README.md: -------------------------------------------------------------------------------- 1 | # 5 Common Ransomware ATT&CK Techniques 2 | Heatmap for 5 select common ATT&CK techniques used by ransomware operators, from Recorded Future's [December 2021 report](https://go.recordedfuture.com/hubfs/reports/cta-2021-1216.pdf) 3 | 4 | Paste .json file contents into the "Threat Intelligence" dropdown on the **[Threat Alignment 
page](https://controlcompass.github.io/risk)** of the open-source [Control Validation Compass](https://controlcompass.github.io/) project, to instantly surface technical & policy controls and offensive security tests aligned with these techniques. 5 | -------------------------------------------------------------------------------- /Recorded_Future_5_Common_Ransomware_ATT&CK_Techniques/Recorded_Future_5_Common_Ransomware_ATT&CK_Techniques.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "5 Common Ransomware ATT&CK Techniques", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://go.recordedfuture.com/hubfs/reports/cta-2021-1216.pdf\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. 
See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1562.001", 38 | "tactic": "defense-evasion", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1562.004", 49 | "tactic": "defense-evasion", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1542", 60 | "tactic": "defense-evasion", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1542", 71 | "tactic": "persistence", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1105", 82 | "tactic": "command-and-control", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1484.001", 93 | "tactic": "defense-evasion", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1484.001", 104 | "tactic": 
"privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | } 113 | ], 114 | "gradient": { 115 | "colors": [ 116 | "#ffffffff", 117 | "#ff6666ff" 118 | ], 119 | "minValue": 0, 120 | "maxValue": 1 121 | }, 122 | "legendItems": [], 123 | "metadata": [], 124 | "links": [], 125 | "showTacticRowBackground": false, 126 | "tacticRowBackground": "#dddddd", 127 | "selectTechniquesAcrossTactics": true, 128 | "selectSubtechniquesWithParent": false 129 | } 130 | -------------------------------------------------------------------------------- /Red Canary 2022 Threat Detection Report/README.md: -------------------------------------------------------------------------------- 1 | # Red Canary 2022 Threat Detection Report 2 | Heatmap for the [top techniques](https://redcanary.com/threat-detection-report/techniques/) in Red Canary's annual [Threat Detection Report](https://redcanary.com/threat-detection-report/), released in March 2022 3 | 4 | Paste .json file contents into the "Threat Intelligence" dropdown on the **[Threat Alignment page](https://controlcompass.github.io/risk)** of the open-source [Control Validation Compass](https://controlcompass.github.io/) project, to instantly surface technical & policy controls and offensive security tests aligned with these techniques. 
5 | -------------------------------------------------------------------------------- /Red Canary 2022 Threat Detection Report/Red_Canary_2022_Threat_Detection_Report.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Red Canary 2022 Threat Detection Report", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://redcanary.com/threat-detection-report/techniques/\n\nhttps://redcanary.com/threat-detection-report/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests for these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud April 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1059.001", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1059.003", 49 | "tactic": "execution", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1218.011", 60 | "tactic": "defense-evasion", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 
| "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1047", 71 | "tactic": "execution", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1003.001", 82 | "tactic": "credential-access", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1105", 93 | "tactic": "command-and-control", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1055", 104 | "tactic": "defense-evasion", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1055", 115 | "tactic": "privilege-escalation", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1053.005", 126 | "tactic": "execution", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1053.005", 137 | "tactic": "persistence", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1053.005", 148 | "tactic": "privilege-escalation", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1027", 159 | "tactic": "defense-evasion", 160 | 
"score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1036.003", 170 | "tactic": "defense-evasion", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1036.005", 181 | "tactic": "defense-evasion", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1574.001", 192 | "tactic": "persistence", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1574.001", 203 | "tactic": "privilege-escalation", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1574.001", 214 | "tactic": "defense-evasion", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | } 223 | ], 224 | "gradient": { 225 | "colors": [ 226 | "#ffffffff", 227 | "#ff6666ff" 228 | ], 229 | "minValue": 0, 230 | "maxValue": 1 231 | }, 232 | "legendItems": [], 233 | "metadata": [], 234 | "links": [], 235 | "showTacticRowBackground": false, 236 | "tacticRowBackground": "#dddddd", 237 | "selectTechniquesAcrossTactics": true, 238 | "selectSubtechniquesWithParent": false 239 | } 240 | -------------------------------------------------------------------------------- /Russia-TTP-Mappings/README.md: -------------------------------------------------------------------------------- 1 | # Russia-Ukraine Cyber Risk (ATT&CK TTPs) 2 | 
ATT&CK Navigator layers for key Russia-aligned adversaries during the 2022 Ukraine crisis 3 | 4 | Individual JSON layers are contained in the `actor-groups` and `malware` folders. A snapshot of the combined view: 5 | ![russia-ukraineTTPs](https://raw.githubusercontent.com/tropChaud/Russia-TTP-Mappings/main/russia-ukraineTTPs.png) 6 | -------------------------------------------------------------------------------- /Russia-TTP-Mappings/actor-groups/DEV-0586 : WhisperGate.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "DEV-0586 / WhisperGate", 3 | "versions": { 4 | "attack": "10", 5 | "navigator": "4.5.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "DEV-0586 TTPs used during the WhisperGate campaign, sourced from Picus Security reporting: https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "Azure AD", 16 | "Office 365", 17 | "SaaS", 18 | "IaaS", 19 | "Google Workspace", 20 | "PRE", 21 | "Network", 22 | "Containers" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "sum", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1059.001", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "Source: Picus Security - https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1059.003", 49 | "tactic": "execution", 50 | "score": 1, 51 | "color": "", 52 | "comment": "Source: Picus Security - 
https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1561", 60 | "tactic": "impact", 61 | "score": 1, 62 | "color": "", 63 | "comment": "Source: Picus Security - https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1083", 71 | "tactic": "discovery", 72 | "score": 1, 73 | "color": "", 74 | "comment": "Source: Picus Security - https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1105", 82 | "tactic": "command-and-control", 83 | "score": 1, 84 | "color": "", 85 | "comment": "Source: Picus Security - https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1027", 93 | "tactic": "defense-evasion", 94 | "score": 1, 95 | "color": "", 96 | "comment": "Source: Picus Security - https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": true 101 | }, 102 | { 103 | "techniqueID": "T1542", 104 | "tactic": "defense-evasion", 105 | "color": "", 106 | "comment": "", 107 | "enabled": true, 108 | "metadata": [], 109 | "links": [], 110 | "showSubtechniques": true 111 | }, 112 | { 113 | "techniqueID": "T1542.003", 114 | "tactic": "persistence", 115 | "score": 1, 116 | "color": "", 117 | "comment": "Source: Picus Security - 
https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 118 | "enabled": true, 119 | "metadata": [], 120 | "links": [], 121 | "showSubtechniques": false 122 | }, 123 | { 124 | "techniqueID": "T1542.003", 125 | "tactic": "defense-evasion", 126 | "score": 1, 127 | "color": "", 128 | "comment": "Source: Picus Security - https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine", 129 | "enabled": true, 130 | "metadata": [], 131 | "links": [], 132 | "showSubtechniques": false 133 | } 134 | ], 135 | "gradient": { 136 | "colors": [ 137 | "#599bceff", 138 | "#004a80ff" 139 | ], 140 | "minValue": 0, 141 | "maxValue": 2 142 | }, 143 | "legendItems": [], 144 | "metadata": [], 145 | "links": [], 146 | "showTacticRowBackground": false, 147 | "tacticRowBackground": "#dddddd", 148 | "selectTechniquesAcrossTactics": true, 149 | "selectSubtechniquesWithParent": false 150 | } -------------------------------------------------------------------------------- /Russia-TTP-Mappings/actor-groups/Gamaredon Group.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Gamaredon Group", 3 | "versions": { 4 | "attack": "10", 5 | "navigator": "4.5.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Gamaredon Group TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "Azure AD", 16 | "Office 365", 17 | "SaaS", 18 | "IaaS", 19 | "Google Workspace", 20 | "PRE", 21 | "Network", 22 | "Containers" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "sum", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1071.001", 38 | "tactic": 
"command-and-control", 39 | "score": 1, 40 | "color": "", 41 | "comment": "Source: ATT&CK Navigator", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1119", 49 | "tactic": "collection", 50 | "score": 1, 51 | "color": "", 52 | "comment": "Source: ATT&CK Navigator", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1020", 60 | "tactic": "exfiltration", 61 | "score": 1, 62 | "color": "", 63 | "comment": "Source: ATT&CK Navigator", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1547.001", 71 | "tactic": "persistence", 72 | "score": 1, 73 | "color": "", 74 | "comment": "Source: ATT&CK Navigator", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1547.001", 82 | "tactic": "privilege-escalation", 83 | "score": 1, 84 | "color": "", 85 | "comment": "Source: ATT&CK Navigator", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1059.003", 93 | "tactic": "execution", 94 | "score": 1, 95 | "color": "", 96 | "comment": "Source: ATT&CK Navigator", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1059.005", 104 | "tactic": "execution", 105 | "score": 1, 106 | "color": "", 107 | "comment": "Source: ATT&CK Navigator", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1005", 115 | "tactic": "collection", 116 | "score": 1, 117 | "color": "", 118 | "comment": "Source: ATT&CK Navigator", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": 
"T1039", 126 | "tactic": "collection", 127 | "score": 1, 128 | "color": "", 129 | "comment": "Source: ATT&CK Navigator", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1025", 137 | "tactic": "collection", 138 | "score": 1, 139 | "color": "", 140 | "comment": "Source: ATT&CK Navigator", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1140", 148 | "tactic": "defense-evasion", 149 | "score": 1, 150 | "color": "", 151 | "comment": "Source: ATT&CK Navigator", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1041", 159 | "tactic": "exfiltration", 160 | "score": 1, 161 | "color": "", 162 | "comment": "Source: ATT&CK Navigator", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1083", 170 | "tactic": "discovery", 171 | "score": 1, 172 | "color": "", 173 | "comment": "Source: ATT&CK Navigator", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1562.001", 181 | "tactic": "defense-evasion", 182 | "score": 1, 183 | "color": "", 184 | "comment": "Source: ATT&CK Navigator", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1070.004", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "Source: ATT&CK Navigator", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1105", 203 | "tactic": "command-and-control", 204 | "score": 1, 205 | "color": "", 206 | "comment": "Source: ATT&CK Navigator", 207 | "enabled": true, 208 | "metadata": [], 209 | 
"links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1559.001", 214 | "tactic": "execution", 215 | "score": 1, 216 | "color": "", 217 | "comment": "Source: ATT&CK Navigator", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1534", 225 | "tactic": "lateral-movement", 226 | "score": 1, 227 | "color": "", 228 | "comment": "Source: ATT&CK Navigator", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1112", 236 | "tactic": "defense-evasion", 237 | "score": 1, 238 | "color": "", 239 | "comment": "Source: ATT&CK Navigator", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1106", 247 | "tactic": "execution", 248 | "score": 1, 249 | "color": "", 250 | "comment": "Source: ATT&CK Navigator", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1027", 258 | "tactic": "defense-evasion", 259 | "score": 1, 260 | "color": "", 261 | "comment": "Source: ATT&CK Navigator", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1027.001", 269 | "tactic": "defense-evasion", 270 | "score": 1, 271 | "color": "", 272 | "comment": "Source: ATT&CK Navigator", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1027.004", 280 | "tactic": "defense-evasion", 281 | "score": 1, 282 | "color": "", 283 | "comment": "Source: ATT&CK Navigator", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1137", 291 | "tactic": "persistence", 292 | "score": 1, 293 | "color": "", 294 | 
"comment": "Source: ATT&CK Navigator", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1120", 302 | "tactic": "discovery", 303 | "score": 1, 304 | "color": "", 305 | "comment": "Source: ATT&CK Navigator", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1566.001", 313 | "tactic": "initial-access", 314 | "score": 1, 315 | "color": "", 316 | "comment": "Source: ATT&CK Navigator", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1053.005", 324 | "tactic": "execution", 325 | "score": 1, 326 | "color": "", 327 | "comment": "Source: ATT&CK Navigator", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1053.005", 335 | "tactic": "persistence", 336 | "score": 1, 337 | "color": "", 338 | "comment": "Source: ATT&CK Navigator", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1053.005", 346 | "tactic": "privilege-escalation", 347 | "score": 1, 348 | "color": "", 349 | "comment": "Source: ATT&CK Navigator", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1113", 357 | "tactic": "collection", 358 | "score": 1, 359 | "color": "", 360 | "comment": "Source: ATT&CK Navigator", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1218.011", 368 | "tactic": "defense-evasion", 369 | "score": 1, 370 | "color": "", 371 | "comment": "Source: ATT&CK Navigator", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | 
"techniqueID": "T1082", 379 | "tactic": "discovery", 380 | "score": 1, 381 | "color": "", 382 | "comment": "Source: ATT&CK Navigator", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1033", 390 | "tactic": "discovery", 391 | "score": 1, 392 | "color": "", 393 | "comment": "Source: ATT&CK Navigator", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1080", 401 | "tactic": "lateral-movement", 402 | "score": 1, 403 | "color": "", 404 | "comment": "Source: ATT&CK Navigator", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1221", 412 | "tactic": "defense-evasion", 413 | "score": 1, 414 | "color": "", 415 | "comment": "Source: ATT&CK Navigator", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1204.002", 423 | "tactic": "execution", 424 | "score": 1, 425 | "color": "", 426 | "comment": "Source: ATT&CK Navigator", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | }, 432 | { 433 | "techniqueID": "T1102", 434 | "tactic": "command-and-control", 435 | "score": 1, 436 | "color": "", 437 | "comment": "Source: ATT&CK Navigator", 438 | "enabled": true, 439 | "metadata": [], 440 | "links": [], 441 | "showSubtechniques": false 442 | } 443 | ], 444 | "gradient": { 445 | "colors": [ 446 | "#599bceff", 447 | "#004a80ff" 448 | ], 449 | "minValue": 0, 450 | "maxValue": 2 451 | }, 452 | "legendItems": [], 453 | "metadata": [], 454 | "links": [], 455 | "showTacticRowBackground": false, 456 | "tacticRowBackground": "#dddddd", 457 | "selectTechniquesAcrossTactics": true, 458 | "selectSubtechniquesWithParent": false 459 | } 
-------------------------------------------------------------------------------- /Russia-TTP-Mappings/malware/Conti.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Conti", 3 | "versions": { 4 | "attack": "10", 5 | "navigator": "4.5.5", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Conti ransomware TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "Azure AD", 16 | "Office 365", 17 | "SaaS", 18 | "IaaS", 19 | "Google Workspace", 20 | "PRE", 21 | "Network", 22 | "Containers" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "sum", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1059.003", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "Source: ATT&CK Navigator", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1486", 49 | "tactic": "impact", 50 | "score": 1, 51 | "color": "", 52 | "comment": "Source: ATT&CK Navigator", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1140", 60 | "tactic": "defense-evasion", 61 | "score": 1, 62 | "color": "", 63 | "comment": "Source: ATT&CK Navigator", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1083", 71 | "tactic": "discovery", 72 | "score": 1, 73 | "color": "", 74 | "comment": "Source: ATT&CK Navigator", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1490", 82 | "tactic": "impact", 83 | "score": 1, 
84 | "color": "", 85 | "comment": "Source: ATT&CK Navigator", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1106", 93 | "tactic": "execution", 94 | "score": 1, 95 | "color": "", 96 | "comment": "Source: ATT&CK Navigator", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1135", 104 | "tactic": "discovery", 105 | "score": 1, 106 | "color": "", 107 | "comment": "Source: ATT&CK Navigator", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1027", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "Source: ATT&CK Navigator", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1057", 126 | "tactic": "discovery", 127 | "score": 1, 128 | "color": "", 129 | "comment": "Source: ATT&CK Navigator", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1055.001", 137 | "tactic": "defense-evasion", 138 | "score": 1, 139 | "color": "", 140 | "comment": "Source: ATT&CK Navigator", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1055.001", 148 | "tactic": "privilege-escalation", 149 | "score": 1, 150 | "color": "", 151 | "comment": "Source: ATT&CK Navigator", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1021.002", 159 | "tactic": "lateral-movement", 160 | "score": 1, 161 | "color": "", 162 | "comment": "Source: ATT&CK Navigator", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | 
"techniqueID": "T1018", 170 | "tactic": "discovery", 171 | "score": 1, 172 | "color": "", 173 | "comment": "Source: ATT&CK Navigator", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1489", 181 | "tactic": "impact", 182 | "score": 1, 183 | "color": "", 184 | "comment": "Source: ATT&CK Navigator", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1016", 192 | "tactic": "discovery", 193 | "score": 1, 194 | "color": "", 195 | "comment": "Source: ATT&CK Navigator", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1049", 203 | "tactic": "discovery", 204 | "score": 1, 205 | "color": "", 206 | "comment": "Source: ATT&CK Navigator", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1080", 214 | "tactic": "lateral-movement", 215 | "score": 1, 216 | "color": "", 217 | "comment": "Source: ATT&CK Navigator", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | } 223 | ], 224 | "gradient": { 225 | "colors": [ 226 | "#599bceff", 227 | "#004a80ff" 228 | ], 229 | "minValue": 0, 230 | "maxValue": 2 231 | }, 232 | "legendItems": [], 233 | "metadata": [], 234 | "links": [], 235 | "showTacticRowBackground": false, 236 | "tacticRowBackground": "#dddddd", 237 | "selectTechniquesAcrossTactics": true, 238 | "selectSubtechniquesWithParent": false 239 | } 240 | -------------------------------------------------------------------------------- /Russia-TTP-Mappings/malware/Cyclops Blink.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Cyclops Blink", 3 | "versions": { 4 | "attack": "10", 5 | "navigator": "4.5.5", 6 | "layer": "4.3" 7 | }, 8 | 
"domain": "enterprise-attack", 9 | "description": "Cyclops Blink TTPs sourced from UK NCSC / CISA joint advisory: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "Azure AD", 16 | "Office 365", 17 | "SaaS", 18 | "IaaS", 19 | "Google Workspace", 20 | "PRE", 21 | "Network", 22 | "Containers" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "sum", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1071.001", 38 | "tactic": "command-and-control", 39 | "score": 1, 40 | "color": "", 41 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1037.004", 49 | "tactic": "persistence", 50 | "score": 1, 51 | "color": "", 52 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1037.004", 60 | "tactic": "privilege-escalation", 61 | "score": 1, 62 | "color": "", 63 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1059.004", 71 | "tactic": "execution", 72 | "score": 1, 73 | "color": "", 74 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1132.002", 82 | "tactic": 
"command-and-control", 83 | "score": 1, 84 | "color": "", 85 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1573.002", 93 | "tactic": "command-and-control", 94 | "score": 1, 95 | "color": "", 96 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1041", 104 | "tactic": "exfiltration", 105 | "score": 1, 106 | "color": "", 107 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1008", 115 | "tactic": "command-and-control", 116 | "score": 1, 117 | "color": "", 118 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1562.004", 126 | "tactic": "defense-evasion", 127 | "score": 1, 128 | "color": "", 129 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1036.005", 137 | "tactic": "defense-evasion", 138 | "score": 1, 139 | "color": "", 140 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1571", 148 | "tactic": "command-and-control", 149 | "score": 1, 150 | "color": 
"", 151 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1542.001", 159 | "tactic": "persistence", 160 | "score": 1, 161 | "color": "", 162 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1542.001", 170 | "tactic": "defense-evasion", 171 | "score": 1, 172 | "color": "", 173 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1082", 181 | "tactic": "discovery", 182 | "score": 1, 183 | "color": "", 184 | "comment": "Source: NCSC - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | } 190 | ], 191 | "gradient": { 192 | "colors": [ 193 | "#599bceff", 194 | "#004a80ff" 195 | ], 196 | "minValue": 0, 197 | "maxValue": 2 198 | }, 199 | "legendItems": [], 200 | "metadata": [], 201 | "links": [], 202 | "showTacticRowBackground": false, 203 | "tacticRowBackground": "#dddddd", 204 | "selectTechniquesAcrossTactics": true, 205 | "selectSubtechniquesWithParent": false 206 | } -------------------------------------------------------------------------------- /Russia-TTP-Mappings/russia-ukraineTTPs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/1f4490ca6a11a26a410d8d976e332d4589403053/Russia-TTP-Mappings/russia-ukraineTTPs.png 
-------------------------------------------------------------------------------- /Stealer Malware/Astaroth.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Astaroth", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Astaroth TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0373/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1047", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1129", 49 | "tactic": "execution", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1547.009", 60 | "tactic": "persistence", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1547.009", 71 | 
"tactic": "privilege-escalation", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1547.001", 82 | "tactic": "persistence", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1547.001", 93 | "tactic": "privilege-escalation", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1564.003", 104 | "tactic": "defense-evasion", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1564.004", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1115", 126 | "tactic": "collection", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1082", 137 | "tactic": "discovery", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1140", 148 | "tactic": "defense-evasion", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1555", 159 | "tactic": "credential-access", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | 
"metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1552", 170 | "tactic": "credential-access", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1055.012", 181 | "tactic": "defense-evasion", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1055.012", 192 | "tactic": "privilege-escalation", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1218.001", 203 | "tactic": "defense-evasion", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1218.010", 214 | "tactic": "defense-evasion", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1016", 225 | "tactic": "discovery", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1059.003", 236 | "tactic": "execution", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1059.005", 247 | "tactic": "execution", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | 
"techniqueID": "T1059.007", 258 | "tactic": "execution", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1568.002", 269 | "tactic": "command-and-control", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1074.001", 280 | "tactic": "collection", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1497.001", 291 | "tactic": "defense-evasion", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1497.001", 302 | "tactic": "discovery", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1102.001", 313 | "tactic": "command-and-control", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1204.002", 324 | "tactic": "execution", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1057", 335 | "tactic": "discovery", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1041", 346 | "tactic": "exfiltration", 347 | "score": 1, 348 | "color": "", 349 
| "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1574.001", 357 | "tactic": "persistence", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1574.001", 368 | "tactic": "privilege-escalation", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": "T1574.001", 379 | "tactic": "defense-evasion", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1027", 390 | "tactic": "defense-evasion", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1027.002", 401 | "tactic": "defense-evasion", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1056.001", 412 | "tactic": "collection", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1056.001", 423 | "tactic": "credential-access", 424 | "score": 1, 425 | "color": "", 426 | "comment": "", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | }, 432 | { 433 | "techniqueID": "T1132.001", 434 | "tactic": "command-and-control", 435 | "score": 1, 436 | "color": "", 437 | "comment": "", 438 | "enabled": true, 439 | "metadata": [], 440 | 
"links": [], 441 | "showSubtechniques": false 442 | }, 443 | { 444 | "techniqueID": "T1598.002", 445 | "tactic": "reconnaissance", 446 | "score": 1, 447 | "color": "", 448 | "comment": "", 449 | "enabled": true, 450 | "metadata": [], 451 | "links": [], 452 | "showSubtechniques": false 453 | }, 454 | { 455 | "techniqueID": "T1518.001", 456 | "tactic": "discovery", 457 | "score": 1, 458 | "color": "", 459 | "comment": "", 460 | "enabled": true, 461 | "metadata": [], 462 | "links": [], 463 | "showSubtechniques": false 464 | }, 465 | { 466 | "techniqueID": "T1105", 467 | "tactic": "command-and-control", 468 | "score": 1, 469 | "color": "", 470 | "comment": "", 471 | "enabled": true, 472 | "metadata": [], 473 | "links": [], 474 | "showSubtechniques": false 475 | }, 476 | { 477 | "techniqueID": "T1220", 478 | "tactic": "defense-evasion", 479 | "score": 1, 480 | "color": "", 481 | "comment": "", 482 | "enabled": true, 483 | "metadata": [], 484 | "links": [], 485 | "showSubtechniques": false 486 | }, 487 | { 488 | "techniqueID": "T1124", 489 | "tactic": "discovery", 490 | "score": 1, 491 | "color": "", 492 | "comment": "", 493 | "enabled": true, 494 | "metadata": [], 495 | "links": [], 496 | "showSubtechniques": false 497 | } 498 | ], 499 | "gradient": { 500 | "colors": [ 501 | "#ff6666ff", 502 | "#ffe766ff", 503 | "#8ec843ff" 504 | ], 505 | "minValue": 0, 506 | "maxValue": 100 507 | }, 508 | "legendItems": [], 509 | "metadata": [], 510 | "links": [], 511 | "showTacticRowBackground": false, 512 | "tacticRowBackground": "#dddddd", 513 | "selectTechniquesAcrossTactics": true, 514 | "selectSubtechniquesWithParent": false 515 | } -------------------------------------------------------------------------------- /Stealer Malware/Chaes.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Chaes", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | 
"description": "Chaes TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0631/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1113", 38 | "tactic": "collection", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1033", 49 | "tactic": "discovery", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1539", 60 | "tactic": "credential-access", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1547.001", 71 | "tactic": "persistence", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1547.001", 82 | "tactic": "privilege-escalation", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 
| "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1082", 93 | "tactic": "discovery", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1071.001", 104 | "tactic": "command-and-control", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1106", 115 | "tactic": "execution", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1140", 126 | "tactic": "defense-evasion", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1555.003", 137 | "tactic": "credential-access", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1036.005", 148 | "tactic": "defense-evasion", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1218.004", 159 | "tactic": "defense-evasion", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1218.007", 170 | "tactic": "defense-evasion", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1185", 181 | 
"tactic": "collection", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1112", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1059.003", 203 | "tactic": "execution", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1059.005", 214 | "tactic": "execution", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1059.006", 225 | "tactic": "execution", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1059.007", 236 | "tactic": "execution", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1204.002", 247 | "tactic": "execution", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1048", 258 | "tactic": "exfiltration", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1566.001", 269 | "tactic": "initial-access", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | 
"metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1574.001", 280 | "tactic": "persistence", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1574.001", 291 | "tactic": "privilege-escalation", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1574.001", 302 | "tactic": "defense-evasion", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1573", 313 | "tactic": "command-and-control", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1056", 324 | "tactic": "collection", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1056", 335 | "tactic": "credential-access", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1132.001", 346 | "tactic": "command-and-control", 347 | "score": 1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1221", 357 | "tactic": "defense-evasion", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 
| { 367 | "techniqueID": "T1105", 368 | "tactic": "command-and-control", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | } 377 | ], 378 | "gradient": { 379 | "colors": [ 380 | "#ff6666ff", 381 | "#ffe766ff", 382 | "#8ec843ff" 383 | ], 384 | "minValue": 0, 385 | "maxValue": 100 386 | }, 387 | "legendItems": [], 388 | "metadata": [], 389 | "links": [], 390 | "showTacticRowBackground": false, 391 | "tacticRowBackground": "#dddddd", 392 | "selectTechniquesAcrossTactics": true, 393 | "selectSubtechniquesWithParent": false 394 | } -------------------------------------------------------------------------------- /Stealer Malware/Jester Stealer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Jester Stealer", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "https://www.joesandbox.com/analysis/554011/0/html\n\nhttps://bazaar.abuse.ch/sample/cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. 
See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "techniques": [ 11 | { 12 | "techniqueID": "T1003", 13 | "score": 1 14 | }, 15 | { 16 | "techniqueID": "T1005", 17 | "score": 1 18 | }, 19 | { 20 | "techniqueID": "T1016", 21 | "score": 1 22 | }, 23 | { 24 | "techniqueID": "T1018", 25 | "score": 1 26 | }, 27 | { 28 | "techniqueID": "T1027", 29 | "score": 1 30 | }, 31 | { 32 | "techniqueID": "T1036", 33 | "score": 1 34 | }, 35 | { 36 | "techniqueID": "T1047", 37 | "score": 1 38 | }, 39 | { 40 | "techniqueID": "T1055", 41 | "score": 1 42 | }, 43 | { 44 | "techniqueID": "T1057", 45 | "score": 1 46 | }, 47 | { 48 | "techniqueID": "T1059", 49 | "score": 1 50 | }, 51 | { 52 | "techniqueID": "T1070.004", 53 | "score": 1 54 | }, 55 | { 56 | "techniqueID": "T1070.006", 57 | "score": 1 58 | }, 59 | { 60 | "techniqueID": "T1082", 61 | "score": 1 62 | }, 63 | { 64 | "techniqueID": "T1083", 65 | "score": 1 66 | }, 67 | { 68 | "techniqueID": "T1090", 69 | "score": 1 70 | }, 71 | { 72 | "techniqueID": "T1095", 73 | "score": 1 74 | }, 75 | { 76 | "techniqueID": "T1105", 77 | "score": 1 78 | }, 79 | { 80 | "techniqueID": "T1114", 81 | "score": 1 82 | }, 83 | { 84 | "techniqueID": "T1140", 85 | "score": 1 86 | }, 87 | { 88 | "techniqueID": "T1497", 89 | "score": 1 90 | }, 91 | { 92 | "techniqueID": "T1518.001", 93 | "score": 1 94 | }, 95 | { 96 | "techniqueID": "T1552.002", 97 | "score": 1 98 | }, 99 | { 100 | "techniqueID": "T1560", 101 | "score": 1 102 | }, 103 | { 104 | "techniqueID": "T1562.001", 105 | "score": 1 106 | }, 107 | { 108 | "techniqueID": "T1571", 109 | "score": 1 110 | }, 111 | { 112 | "techniqueID": "T1573", 113 | "score": 1 114 | } 115 | ], 116 | "layout": { 117 | "layout": "side", 118 | "aggregateFunction": "max", 119 | "showID": false, 120 | "showName": true, 121 | "showAggregateScores": true, 122 | "countUnscored": false 123 | }, 124 | "gradient": { 125 | "colors": [ 126 | "#ffffff", 127 | "#ff6666" 128 | ], 129 | "minValue": 0, 130 | 
"maxValue": 1 131 | } 132 | } 133 | -------------------------------------------------------------------------------- /Stealer Malware/Lokibot.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Lokibot", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Lokibot TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0447/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1033", 38 | "tactic": "discovery", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1564.001", 49 | "tactic": "defense-evasion", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1082", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | 
"techniqueID": "T1071.001", 71 | "tactic": "command-and-control", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1053", 82 | "tactic": "execution", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1053", 93 | "tactic": "persistence", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1053", 104 | "tactic": "privilege-escalation", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1053.005", 115 | "tactic": "execution", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1053.005", 126 | "tactic": "persistence", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1053.005", 137 | "tactic": "privilege-escalation", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1106", 148 | "tactic": "execution", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1140", 159 | "tactic": "defense-evasion", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | 
"enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1555", 170 | "tactic": "credential-access", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1555.003", 181 | "tactic": "credential-access", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1055.012", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1055.012", 203 | "tactic": "privilege-escalation", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1620", 214 | "tactic": "defense-evasion", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1112", 225 | "tactic": "defense-evasion", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1548.002", 236 | "tactic": "privilege-escalation", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1548.002", 247 | "tactic": "defense-evasion", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | 
"showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1016", 258 | "tactic": "discovery", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1059.003", 269 | "tactic": "execution", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1059.005", 280 | "tactic": "execution", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1059.001", 291 | "tactic": "execution", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1070.004", 302 | "tactic": "defense-evasion", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1083", 313 | "tactic": "discovery", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1497.003", 324 | "tactic": "defense-evasion", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1497.003", 335 | "tactic": "discovery", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1204.002", 346 | "tactic": "execution", 347 | 
"score": 1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1041", 357 | "tactic": "exfiltration", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1566.001", 368 | "tactic": "initial-access", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": "T1027", 379 | "tactic": "defense-evasion", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1027.002", 390 | "tactic": "defense-evasion", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1056.001", 401 | "tactic": "collection", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1056.001", 412 | "tactic": "credential-access", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | }, 421 | { 422 | "techniqueID": "T1105", 423 | "tactic": "command-and-control", 424 | "score": 1, 425 | "color": "", 426 | "comment": "", 427 | "enabled": true, 428 | "metadata": [], 429 | "links": [], 430 | "showSubtechniques": false 431 | } 432 | ], 433 | "gradient": { 434 | "colors": [ 435 | "#ff6666ff", 436 | "#ffe766ff", 437 | "#8ec843ff" 438 | ], 439 | "minValue": 0, 440 | "maxValue": 100 441 | }, 442 | 
"legendItems": [], 443 | "metadata": [], 444 | "links": [], 445 | "showTacticRowBackground": false, 446 | "tacticRowBackground": "#dddddd", 447 | "selectTechniquesAcrossTactics": true, 448 | "selectSubtechniquesWithParent": false 449 | } -------------------------------------------------------------------------------- /Stealer Malware/OwaAuth.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "OwaAuth", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "OwaAuth TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0072/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1071.001", 38 | "tactic": "command-and-control", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1036.005", 49 | "tactic": "defense-evasion", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | 
"techniqueID": "T1560.003", 60 | "tactic": "collection", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1070.006", 71 | "tactic": "defense-evasion", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1083", 82 | "tactic": "discovery", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1056.001", 93 | "tactic": "collection", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1056.001", 104 | "tactic": "credential-access", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1505.003", 115 | "tactic": "persistence", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1505.004", 126 | "tactic": "persistence", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | } 135 | ], 136 | "gradient": { 137 | "colors": [ 138 | "#ff6666ff", 139 | "#ffe766ff", 140 | "#8ec843ff" 141 | ], 142 | "minValue": 0, 143 | "maxValue": 100 144 | }, 145 | "legendItems": [], 146 | "metadata": [], 147 | "links": [], 148 | "showTacticRowBackground": false, 149 | "tacticRowBackground": "#dddddd", 150 | "selectTechniquesAcrossTactics": true, 151 | "selectSubtechniquesWithParent": 
false 152 | } -------------------------------------------------------------------------------- /Stealer Malware/QuietSieve.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "QuietSieve", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "QuietSieve TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0686/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1113", 38 | "tactic": "collection", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1564.003", 49 | "tactic": "defense-evasion", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1135", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": 
"T1120", 71 | "tactic": "discovery", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1071.001", 82 | "tactic": "command-and-control", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1005", 93 | "tactic": "collection", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1016.001", 104 | "tactic": "discovery", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1083", 115 | "tactic": "discovery", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1105", 126 | "tactic": "command-and-control", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | } 135 | ], 136 | "gradient": { 137 | "colors": [ 138 | "#ff6666ff", 139 | "#ffe766ff", 140 | "#8ec843ff" 141 | ], 142 | "minValue": 0, 143 | "maxValue": 100 144 | }, 145 | "legendItems": [], 146 | "metadata": [], 147 | "links": [], 148 | "showTacticRowBackground": false, 149 | "tacticRowBackground": "#dddddd", 150 | "selectTechniquesAcrossTactics": true, 151 | "selectSubtechniquesWithParent": false 152 | } -------------------------------------------------------------------------------- /Stealer Malware/README.md: -------------------------------------------------------------------------------- 1 | # Stealer Malware 2 | Heatmaps for Jester 
Stealer malware & seven other stealer malware families currently included in the ATT&CK knowledge base, supporting the FIRSTCON22 conference talk "It's Just a Jump To The Left (of Boom)" 3 | 4 | Paste .json file contents into the "Threat Intelligence" dropdown on the **[Threat Alignment page](https://controlcompass.github.io/risk)** of the open-source [Control Validation Compass](https://controlcompass.github.io/) project to instantly surface technical & policy controls and offensive security tests aligned with these techniques. 5 | 6 | Snapshot of the combined view of TTPs for all eight malware families (json version [here](https://github.com/tropChaud/Cyber-Adversary-Heatmaps/blob/main/Stealer%20Malware/combined.json)): 7 | ![Combined Stealer Malware](https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/main/Stealer%20Malware/combined.png) 8 | -------------------------------------------------------------------------------- /Stealer Malware/ThiefQuest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ThiefQuest", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "ThiefQuest TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0595/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. 
See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1543.004", 38 | "tactic": "persistence", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1543.004", 49 | "tactic": "privilege-escalation", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1543.001", 60 | "tactic": "persistence", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1543.001", 71 | "tactic": "privilege-escalation", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1564.001", 82 | "tactic": "defense-evasion", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1071.001", 93 | "tactic": "command-and-control", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1106", 104 | "tactic": 
"execution", 105 | "score": 1, 106 | "color": "", 107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1562.001", 115 | "tactic": "defense-evasion", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1036.005", 126 | "tactic": "defense-evasion", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1620", 137 | "tactic": "defense-evasion", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1059.002", 148 | "tactic": "execution", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1497.003", 159 | "tactic": "defense-evasion", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1497.003", 170 | "tactic": "discovery", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1057", 181 | "tactic": "discovery", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1041", 192 | "tactic": "exfiltration", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | 
"metadata": [], 198 | "links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1554", 203 | "tactic": "persistence", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1486", 214 | "tactic": "impact", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1056.001", 225 | "tactic": "collection", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1056.001", 236 | "tactic": "credential-access", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1518.001", 247 | "tactic": "discovery", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1622", 258 | "tactic": "defense-evasion", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1622", 269 | "tactic": "discovery", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1105", 280 | "tactic": "command-and-control", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | } 289 | ], 290 | "gradient": { 291 | 
"colors": [ 292 | "#ff6666ff", 293 | "#ffe766ff", 294 | "#8ec843ff" 295 | ], 296 | "minValue": 0, 297 | "maxValue": 100 298 | }, 299 | "legendItems": [], 300 | "metadata": [], 301 | "links": [], 302 | "showTacticRowBackground": false, 303 | "tacticRowBackground": "#dddddd", 304 | "selectTechniquesAcrossTactics": true, 305 | "selectSubtechniquesWithParent": false 306 | } -------------------------------------------------------------------------------- /Stealer Malware/Valak.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Valak", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.4", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "Valak TTPs sourced from ATT&CK knowledge base (ATT&CK Navigator)\n\nhttps://attack.mitre.org/software/S0476/\n\nPaste .json file contents into the \"Threat Intelligence\" dropdown here to instantly surface technical & policy controls and unit tests aligned with these techniques: https://controlcompass.github.io/risk\n\nCompiled by TropChaud June 2022. 
See more at https://github.com/tropChaud/Cyber-Adversary-Heatmaps", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [ 36 | { 37 | "techniqueID": "T1047", 38 | "tactic": "execution", 39 | "score": 1, 40 | "color": "", 41 | "comment": "", 42 | "enabled": true, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1113", 49 | "tactic": "collection", 50 | "score": 1, 51 | "color": "", 52 | "comment": "", 53 | "enabled": true, 54 | "metadata": [], 55 | "links": [], 56 | "showSubtechniques": false 57 | }, 58 | { 59 | "techniqueID": "T1033", 60 | "tactic": "discovery", 61 | "score": 1, 62 | "color": "", 63 | "comment": "", 64 | "enabled": true, 65 | "metadata": [], 66 | "links": [], 67 | "showSubtechniques": false 68 | }, 69 | { 70 | "techniqueID": "T1114.002", 71 | "tactic": "collection", 72 | "score": 1, 73 | "color": "", 74 | "comment": "", 75 | "enabled": true, 76 | "metadata": [], 77 | "links": [], 78 | "showSubtechniques": false 79 | }, 80 | { 81 | "techniqueID": "T1564.004", 82 | "tactic": "defense-evasion", 83 | "score": 1, 84 | "color": "", 85 | "comment": "", 86 | "enabled": true, 87 | "metadata": [], 88 | "links": [], 89 | "showSubtechniques": false 90 | }, 91 | { 92 | "techniqueID": "T1119", 93 | "tactic": "collection", 94 | "score": 1, 95 | "color": "", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [], 99 | "links": [], 100 | "showSubtechniques": false 101 | }, 102 | { 103 | "techniqueID": "T1082", 104 | "tactic": "discovery", 105 | "score": 1, 106 | "color": "", 
107 | "comment": "", 108 | "enabled": true, 109 | "metadata": [], 110 | "links": [], 111 | "showSubtechniques": false 112 | }, 113 | { 114 | "techniqueID": "T1071.001", 115 | "tactic": "command-and-control", 116 | "score": 1, 117 | "color": "", 118 | "comment": "", 119 | "enabled": true, 120 | "metadata": [], 121 | "links": [], 122 | "showSubtechniques": false 123 | }, 124 | { 125 | "techniqueID": "T1053.005", 126 | "tactic": "execution", 127 | "score": 1, 128 | "color": "", 129 | "comment": "", 130 | "enabled": true, 131 | "metadata": [], 132 | "links": [], 133 | "showSubtechniques": false 134 | }, 135 | { 136 | "techniqueID": "T1053.005", 137 | "tactic": "persistence", 138 | "score": 1, 139 | "color": "", 140 | "comment": "", 141 | "enabled": true, 142 | "metadata": [], 143 | "links": [], 144 | "showSubtechniques": false 145 | }, 146 | { 147 | "techniqueID": "T1053.005", 148 | "tactic": "privilege-escalation", 149 | "score": 1, 150 | "color": "", 151 | "comment": "", 152 | "enabled": true, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1140", 159 | "tactic": "defense-evasion", 160 | "score": 1, 161 | "color": "", 162 | "comment": "", 163 | "enabled": true, 164 | "metadata": [], 165 | "links": [], 166 | "showSubtechniques": false 167 | }, 168 | { 169 | "techniqueID": "T1555.004", 170 | "tactic": "credential-access", 171 | "score": 1, 172 | "color": "", 173 | "comment": "", 174 | "enabled": true, 175 | "metadata": [], 176 | "links": [], 177 | "showSubtechniques": false 178 | }, 179 | { 180 | "techniqueID": "T1552.002", 181 | "tactic": "credential-access", 182 | "score": 1, 183 | "color": "", 184 | "comment": "", 185 | "enabled": true, 186 | "metadata": [], 187 | "links": [], 188 | "showSubtechniques": false 189 | }, 190 | { 191 | "techniqueID": "T1218.010", 192 | "tactic": "defense-evasion", 193 | "score": 1, 194 | "color": "", 195 | "comment": "", 196 | "enabled": true, 197 | "metadata": [], 198 | 
"links": [], 199 | "showSubtechniques": false 200 | }, 201 | { 202 | "techniqueID": "T1112", 203 | "tactic": "defense-evasion", 204 | "score": 1, 205 | "color": "", 206 | "comment": "", 207 | "enabled": true, 208 | "metadata": [], 209 | "links": [], 210 | "showSubtechniques": false 211 | }, 212 | { 213 | "techniqueID": "T1016", 214 | "tactic": "discovery", 215 | "score": 1, 216 | "color": "", 217 | "comment": "", 218 | "enabled": true, 219 | "metadata": [], 220 | "links": [], 221 | "showSubtechniques": false 222 | }, 223 | { 224 | "techniqueID": "T1087.002", 225 | "tactic": "discovery", 226 | "score": 1, 227 | "color": "", 228 | "comment": "", 229 | "enabled": true, 230 | "metadata": [], 231 | "links": [], 232 | "showSubtechniques": false 233 | }, 234 | { 235 | "techniqueID": "T1087.001", 236 | "tactic": "discovery", 237 | "score": 1, 238 | "color": "", 239 | "comment": "", 240 | "enabled": true, 241 | "metadata": [], 242 | "links": [], 243 | "showSubtechniques": false 244 | }, 245 | { 246 | "techniqueID": "T1059.001", 247 | "tactic": "execution", 248 | "score": 1, 249 | "color": "", 250 | "comment": "", 251 | "enabled": true, 252 | "metadata": [], 253 | "links": [], 254 | "showSubtechniques": false 255 | }, 256 | { 257 | "techniqueID": "T1059.007", 258 | "tactic": "execution", 259 | "score": 1, 260 | "color": "", 261 | "comment": "", 262 | "enabled": true, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1104", 269 | "tactic": "command-and-control", 270 | "score": 1, 271 | "color": "", 272 | "comment": "", 273 | "enabled": true, 274 | "metadata": [], 275 | "links": [], 276 | "showSubtechniques": false 277 | }, 278 | { 279 | "techniqueID": "T1204.002", 280 | "tactic": "execution", 281 | "score": 1, 282 | "color": "", 283 | "comment": "", 284 | "enabled": true, 285 | "metadata": [], 286 | "links": [], 287 | "showSubtechniques": false 288 | }, 289 | { 290 | "techniqueID": "T1057", 291 | "tactic": 
"discovery", 292 | "score": 1, 293 | "color": "", 294 | "comment": "", 295 | "enabled": true, 296 | "metadata": [], 297 | "links": [], 298 | "showSubtechniques": false 299 | }, 300 | { 301 | "techniqueID": "T1041", 302 | "tactic": "exfiltration", 303 | "score": 1, 304 | "color": "", 305 | "comment": "", 306 | "enabled": true, 307 | "metadata": [], 308 | "links": [], 309 | "showSubtechniques": false 310 | }, 311 | { 312 | "techniqueID": "T1566.002", 313 | "tactic": "initial-access", 314 | "score": 1, 315 | "color": "", 316 | "comment": "", 317 | "enabled": true, 318 | "metadata": [], 319 | "links": [], 320 | "showSubtechniques": false 321 | }, 322 | { 323 | "techniqueID": "T1566.001", 324 | "tactic": "initial-access", 325 | "score": 1, 326 | "color": "", 327 | "comment": "", 328 | "enabled": true, 329 | "metadata": [], 330 | "links": [], 331 | "showSubtechniques": false 332 | }, 333 | { 334 | "techniqueID": "T1559.002", 335 | "tactic": "execution", 336 | "score": 1, 337 | "color": "", 338 | "comment": "", 339 | "enabled": true, 340 | "metadata": [], 341 | "links": [], 342 | "showSubtechniques": false 343 | }, 344 | { 345 | "techniqueID": "T1027", 346 | "tactic": "defense-evasion", 347 | "score": 1, 348 | "color": "", 349 | "comment": "", 350 | "enabled": true, 351 | "metadata": [], 352 | "links": [], 353 | "showSubtechniques": false 354 | }, 355 | { 356 | "techniqueID": "T1027.002", 357 | "tactic": "defense-evasion", 358 | "score": 1, 359 | "color": "", 360 | "comment": "", 361 | "enabled": true, 362 | "metadata": [], 363 | "links": [], 364 | "showSubtechniques": false 365 | }, 366 | { 367 | "techniqueID": "T1012", 368 | "tactic": "discovery", 369 | "score": 1, 370 | "color": "", 371 | "comment": "", 372 | "enabled": true, 373 | "metadata": [], 374 | "links": [], 375 | "showSubtechniques": false 376 | }, 377 | { 378 | "techniqueID": "T1132.001", 379 | "tactic": "command-and-control", 380 | "score": 1, 381 | "color": "", 382 | "comment": "", 383 | "enabled": true, 
384 | "metadata": [], 385 | "links": [], 386 | "showSubtechniques": false 387 | }, 388 | { 389 | "techniqueID": "T1518.001", 390 | "tactic": "discovery", 391 | "score": 1, 392 | "color": "", 393 | "comment": "", 394 | "enabled": true, 395 | "metadata": [], 396 | "links": [], 397 | "showSubtechniques": false 398 | }, 399 | { 400 | "techniqueID": "T1105", 401 | "tactic": "command-and-control", 402 | "score": 1, 403 | "color": "", 404 | "comment": "", 405 | "enabled": true, 406 | "metadata": [], 407 | "links": [], 408 | "showSubtechniques": false 409 | }, 410 | { 411 | "techniqueID": "T1008", 412 | "tactic": "command-and-control", 413 | "score": 1, 414 | "color": "", 415 | "comment": "", 416 | "enabled": true, 417 | "metadata": [], 418 | "links": [], 419 | "showSubtechniques": false 420 | } 421 | ], 422 | "gradient": { 423 | "colors": [ 424 | "#ff6666ff", 425 | "#ffe766ff", 426 | "#8ec843ff" 427 | ], 428 | "minValue": 0, 429 | "maxValue": 100 430 | }, 431 | "legendItems": [], 432 | "metadata": [], 433 | "links": [], 434 | "showTacticRowBackground": false, 435 | "tacticRowBackground": "#dddddd", 436 | "selectTechniquesAcrossTactics": true, 437 | "selectSubtechniquesWithParent": false 438 | } -------------------------------------------------------------------------------- /Stealer Malware/combined.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tropChaud/Cyber-Adversary-Heatmaps/1f4490ca6a11a26a410d8d976e332d4589403053/Stealer Malware/combined.png -------------------------------------------------------------------------------- /base.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "base", 3 | "versions": { 4 | "attack": "11", 5 | "navigator": "4.6.1", 6 | "layer": "4.3" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "macOS", 14 | "Windows", 15 | "PRE", 16 | "Containers", 
17 | "Network", 18 | "Office 365", 19 | "SaaS", 20 | "Google Workspace", 21 | "IaaS", 22 | "Azure AD" 23 | ] 24 | }, 25 | "sorting": 0, 26 | "layout": { 27 | "layout": "side", 28 | "aggregateFunction": "max", 29 | "showID": false, 30 | "showName": true, 31 | "showAggregateScores": true, 32 | "countUnscored": false 33 | }, 34 | "hideDisabled": false, 35 | "techniques": [], 36 | "gradient": { 37 | "colors": [ 38 | "#ffffff", 39 | "#ff6666" 40 | ], 41 | "minValue": 0, 42 | "maxValue": 1 43 | }, 44 | "legendItems": [], 45 | "metadata": [], 46 | "links": [], 47 | "showTacticRowBackground": false, 48 | "tacticRowBackground": "#dddddd", 49 | "selectTechniquesAcrossTactics": true, 50 | "selectSubtechniquesWithParent": false 51 | } 52 | --------------------------------------------------------------------------------